Found 60 bookmarks
Custom sorting
Hackers who exposed North Korean government hacker explain why they did it | TechCrunch
Hackers who exposed North Korean government hacker explain why they did it | TechCrunch
techcrunch.com 2025/08/21 - The two self-described hacktivists said they had access to the North Korean spy’s computer for around four months before deciding what they had found should be made public. Earlier this year, two hackers broke into a computer and soon realized the significance of what this machine was. As it turned out, they had landed on the computer of a hacker who allegedly works for the North Korean government. The two hackers decided to keep digging and found evidence that they say linked the hacker to cyberespionage operations carried out by North Korea, exploits and hacking tools, and infrastructure used in those operations. Saber, one of the hackers involved, told TechCrunch that they had access to the North Korean government worker’s computer for around four months, but as soon as they understood what data they got access to, they realized they eventually had to leak it and expose what they had discovered. “These nation-state hackers are hacking for all the wrong reasons. I hope more of them will get exposed; they deserve to be,” said Saber, who spoke to TechCrunch after he and cyb0rg published an article in the legendary hacking e-zine Phrack, disclosing details of their findings. There are countless cybersecurity companies and researchers who closely track anything the North Korean government and its many hacking groups are up to, which includes espionage operations, as well as increasingly large crypto heists and wide-ranging operations where North Koreans pose as remote IT workers to fund the regime’s nuclear weapons program. In this case, Saber and cyb0rg went one step further and actually hacked the hackers, an operation that can give more, or at least different, insights into how these government-backed groups work, as well as “what they are doing on a daily basis and so on,” as Saber put it. The hackers want to be known only by their handles, Saber and cyb0rg, because they may face retaliation from the North Korean government, and possibly others. Saber said that they consider themselves hacktivists, and he name-dropped legendary hacktivist Phineas Fisher, responsible for hacking spyware makers FinFisher and Hacking Team, as an inspiration. At the same time, the hackers also understand that what they did is illegal, but they thought it was nonetheless important to publicize it. “Keeping it for us wouldn’t have been really helpful,” said Saber. “By leaking it all to the public, hopefully we can give researchers some more ways to detect them.” “Hopefully this will also lead to many of their current victims being discovered and so to [the North Korean hackers] losing access,” he said. “Illegal or not, this action has brought concrete artifacts to the community; this is more important,” said cyb0rg in a message sent through Saber. Saber said they are convinced that while the hacker — who they call “Kim” — works for North Korea’s regime, they may actually be Chinese and work for both governments, based on their findings that Kim did not work during holidays in China, suggesting that the hacker may be based there. Also, according to Saber, at times Kim translated some Korean documents into simplified Chinese using Google Translate. Saber said that he never tried to contact Kim. “I don’t think he would even listen; all he does is empower his leaders, the same leaders who enslave his own people,” he said. “I’d probably tell him to use his knowledge in a way that helps people, not hurt them. But he lives in constant propaganda and likely since birth so this is all meaningless to him.” He’s referring to the strict information vacuum that North Koreans live in, as they are largely cut off from the outside world. Saber declined to disclose how he and cyb0rg got access to Kim’s computer, given that the two believe they can use the same techniques to “obtain more access to some other of their systems the same way.” During their operation, Saber and cyb0rg found evidence of active hacks carried out by Kim, against South Korean and Taiwanese companies, which they say they contacted and alerted. North Korean hackers have a history of targeting people who work in the cybersecurity industry as well. That’s why Saber said he is aware of that risk, but “not really worried.” “Not much can be done about this, definitely being more careful though :),” said Saber.
#techcrunch.com#EN#2025#Hackers#North-Korea#Saber#cyb0rg
·techcrunch.com·
Hackers who exposed North Korean government hacker explain why they did it | TechCrunch
Arizona woman sentenced to 8.5 years for running North Korean laptop farm
Arizona woman sentenced to 8.5 years for running North Korean laptop farm
therecord.media - Prosecutors said Chapman helped the North Korean IT workers obtain jobs at 309 companies, including a major television network, a car maker, a media company, a Silicon Valley technology company and more. A U.S. District Court judge sentenced an Arizona woman to eight and a half years in prison for running a laptop farm used by North Korea’s government to perpetrate its IT worker scheme. Christina Chapman pleaded guilty in February to wire fraud, money laundering and identity theft after the FBI discovered she was an instrumental cog in a wider campaign to get North Koreans hired in six-figure IT roles at prominent companies. Prosecutors said Chapman helped the North Korean IT workers obtain jobs at 309 companies, including a major television network, a car maker, a media company, a Silicon Valley technology company and more. Members of the same group unsuccessfully tried to get employed at two different U.S. government agencies. After North Korean officials obtained employment using fake identities, work laptops were sent to a home owned by Chapman, where she enabled the workers to connect remotely to the U.S. companies’ IT networks on a daily basis. The FBI seized more than 90 laptops from Chapman’s home during an October 2023 raid. In addition to hosting the laptops and installing software that allowed the North Koreans to access them remotely, she also shipped 49 laptops to locations overseas, including multiple shipments to a Chinese city on the North Korean border. In total, Chapman’s operation helped generate $17 million for the North Korean government. Security companies and law enforcement have not said how many laptop farms they estimate are scattered across North America and Europe but the DOJ called Chapman’s case “one of the largest North Korean IT worker fraud schemes charged by the Department of Justice.” Her part of the operation involved 68 stolen identities and she reported millions in income to the IRS under the names of the people who had their identity stolen. She forged payroll checks with the fake identities and typically managed the wages received from U.S. companies through direct deposit. She would then transfer the earnings to people overseas. District Court Judge Randolph Moss ordered the 50-year-old Chapman to serve a 102-month prison term and three years of supervised release. She will have to forfeit nearly $300,000 that she planned to send to North Korea before her arrest and will pay a fine of more than $175,000. Chapman was arrested last May as part of a wider takedown of North Korea’s scheme to have hundreds of their citizens hired at unwitting U.S. companies in IT positions. Chapman was initially charged alongside a 27-year-old Ukrainian, Oleksandr Didenko, for helping at least three workers who operated under the aliases Jiho Han, Chunji Jin and Haoran Xu. The three were hired as software and applications developers with companies in a range of sectors and industries. U.S. State Department officials said the three North Koreans assisted by Chapman and Didenko “are linked to the DPRK’s Munitions Industry Department, which oversees the development of the DPRK’s ballistic missiles, weapons production, and research and development programs.” Didenko was arrested in Poland last year and the U.S. is seeking his extradition.
#therecord.media#EN#2025#North-Korea#workers#US#FBI#guilty#sentenced
·therecord.media·
Arizona woman sentenced to 8.5 years for running North Korean laptop farm
NimDoor crypto-theft macOS malware revives itself when killed
NimDoor crypto-theft macOS malware revives itself when killed
North Korean state-backed hackers have been using a new family of macOS malware called NimDoor in a campaign that targets web3 and cryptocurrency organizations. Researchers analyzing the payloads discovered that the attacker relied on unusual techniques and a previously unseen signal-based persistence mechanism. The attack chain, which involves contacting victims via Telegram and luring them into running a fake Zoom SDK update, delivered via Calendly and email, resembles the one Huntress managed security platform recently linked to BlueNoroff. Advanced macOS malware In a report today, researchers at cybersecurity company SentinelOne says that the threat actor used C++ and Nim-compiled binaries (collectively tracked as NimDoor ) on macOS, which "is a more unusual choice." One of the Nim-compiled binaries, 'installer', is responsible for the initial setup and staging, preparing directories and config paths. It also drops other two binaries - 'GoogIe LLC,' 'CoreKitAgent', onto the victim's system. GoogIe LLC takes over to collect environment data and generate a hex-encoded config file, writing it to a temp path. It sets up a macOS LaunchAgent (com.google.update.plist) for persistence, which re-launches GoogIe LLC at login and stores authentication keys for later stages. The most advanced componentused in the attack is CoreKitAgent, the main payload of the NimDoor framework, which operates as an event-driven binary, using macOS's kqueue mechanism to asynchronously manage execution. It implements a 10-case state machine with a hardcoded state transition table, allowing flexible control flow based on runtime conditions. The most distinctive feature is its signal-based persistence mechanisms, where it installs custom handlers for SIGINT and SIGTERM.
#bleepingcomputer#EN#2025#macOS#Malware#Nim#NimDoor#Persistence#North-Korea
·bleepingcomputer.com·
NimDoor crypto-theft macOS malware revives itself when killed
North Korea Infiltrates U.S. Remote Jobs—With the Help of Everyday Americans
North Korea Infiltrates U.S. Remote Jobs—With the Help of Everyday Americans
A LinkedIn message drew a former waitress in Minnesota into a type of intricate scam involving illegal paychecks and stolen data Christina Chapman looked the part of an everyday American trying to make a name for herself in hustle culture. In prolific posts on her TikTok account, which grew to more than 100,000 followers, she talked about her busy life working from home with clients in the computer business and the fantasy book she had started writing. She posted about liberal political causes, her meals and her travels to see her favorite Japanese pop band. Yet in reality the 50-year-old was the operator of a “laptop farm,” filling her home with computers that allowed North Koreans to take jobs as U.S. tech workers and illegally collect $17.1 million in paychecks from more than 300 American companies, according to federal prosecutors. In a June 2023 video, she said she didn’t have time to make her own breakfast that morning—“my clients are going crazy,” she said. Then she describes the açaí bowl and piña colada smoothie she bought. As she talks, at least 10 open laptops are visible on the racks behind her, their fans audibly whirring, with more off to the side. In 2023, Christina Chapman posted a TikTok that had racks of laptops visible in the background. The Wall Street Journal highlighted the laptops in this clip of the video. Chapman was one of an estimated several dozen “laptop farmers” that have popped up across the U.S. as part of a scam to infiltrate American companies and earn money for cash-strapped North Korea. People like Chapman typically operate dozens of laptops meant to be used by legitimate remote workers living in the U.S. What the employers—and often the farmers themselves—don’t realize is that the workers are North Koreans living abroad but using stolen U.S. identities. Once they get a job, they coordinate with someone like Chapman who can provide some American cover—accepting deliveries of the computer, setting up the online connections and helping facilitate paychecks. Meanwhile the North Koreans log into the laptops from overseas every day through remote-access software. Chapman fell into her role after she got a request on LinkedIn to “be the U.S. face” for a company that got jobs for overseas IT workers, according to court documents. There’s no indication that she knew she was working with North Koreans.
#wsj#EN#2025#North-Korea#US#LinkedIn#Infiltrates#Jobs#TikTok#company#work#fake
·wsj.com·
North Korea Infiltrates U.S. Remote Jobs—With the Help of Everyday Americans
British firms urged to hold video or in-person interviews amid North Korea job scam | Technology | The Guardian
British firms urged to hold video or in-person interviews amid North Korea job scam | Technology | The Guardian
Google intelligence report finds UK is a particular target of IT worker ploy that sends wages to Kim Jong Un’s state British companies are being urged to carry out job interviews for IT workers on video or in person to head off the threat of giving jobs to fake North Korean employees. The warning was made after analysts said that the UK had become a prime target for hoax IT workers deployed by the Democratic People’s Republic of Korea. They are typically hired to work remotely, enabling them to escape detection and send their wages to Kim Jong-un’s state. Google said in a report this month that a case uncovered last year involved a single North Korean worker deploying at least 12 personae across Europe and the US. The IT worker was seeking jobs within the defence industry and government sectors. Under a new tactic, the bogus IT professionals have been threatening to release sensitive company data after being fired.
#theguardian#EN#2025#scam#North-Korea#jobs#warning#UK#Google#in-person#interviews
·theguardian.com·
British firms urged to hold video or in-person interviews amid North Korea job scam | Technology | The Guardian
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | Trend Micro (US)
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | Trend Micro (US)
  • Trend Research has identified multiple IP address ranges in Russia that are being used for cybercrime activities aligned with North Korea. These activities are associated with a cluster of campaigns related to the Void Dokkaebi intrusion set, also known as Famous Chollima. The Russian IP address ranges, which are concealed by a large anonymization network that uses commercial VPN services, proxy servers, and numerous VPS servers with RDP, are assigned to two companies in Khasan and Khabarovsk. Khasan is a mile from the North Korea-Russia border, and Khabarovsk is known for its economic and cultural ties with North Korea. Trend Research assesses that North Korea deployed IT workers who connect back to their home country through two IP addresses in the Russian IP ranges and two IP addresses in North Korea. Trend Micro’s telemetry strongly suggests these DPRK aligned IT workers work from China, Russia and Pakistan, among others. Based on Trend Research’s assessment, North Korea-aligned actors use the Russian IP ranges to connect to dozens of VPS servers over RDP, then perform tasks like interacting on job recruitment sites and accessing cryptocurrency-related services. Some servers involved in their brute-force activity to crack cryptocurrency wallet passwords fall within one of the Russian IP ranges. Instructional videos have also been found with what it looks like non-native English text, detailing how to set up a Beavertail malware command-and-control server and how to crack cryptocurrency wallet passwords. This makes it plausible that North Korea is also working with foreign conspirators. IT professionals in Ukraine, US, and Germany have been targeted in these campaigns by fictitious companies that lure them into fraudulent job interviews. Trend Research assesses that the primary focus of Void Dokkaebi is to steal cryptocurrency from software professionals interested in cryptocurrency, Web3, and blockchain technologies. Trend Vision One™ detects and blocks the IOCs discussed in this blog. Trend Vision One customers can also access hunting queries, threat insights, and threat intelligence reports to gain rich context and the latest updates on Void Dokkaebi.
#trendmicro#EN#2025#Russia#North-Korea#network#research#infrastructure#IoCs
·trendmicro.com·
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations | Trend Micro (US)
Why are North Korean hackers such good crypto-thieves?
Why are North Korean hackers such good crypto-thieves?
FEBRUARY 21st was a typical day, recalls Ben Zhou, the boss of ByBit, a Dubai-based cryptocurrency exchange. Before going to bed, he approved a fund transfer between the firm’s accounts, a “typical manoeuvre” performed while servicing more than 60m users around the world. Half an hour later he got a phone call. “Ben, there’s an issue,” his chief financial officer said, voice shaking. “We might be hacked…all of the Ethereum is gone.”
#The-Economist#EN#2025#archive.ph#North-Korea#hackers#crypto-thieves
·archive.ph·
Why are North Korean hackers such good crypto-thieves?
Astrill VPN and Remote Worker Fraud - Spur
Astrill VPN and Remote Worker Fraud - Spur
"Recently, various intelligence and threat analysis teams have identified a concerning trend: North Korean state actors are infiltrating companies and organizations around the world in an attempt to facilitate the clandestine transfer of funds to support North Korea’s state apparatus. Specifically, these actors have favored the use of Astrill VPN to obscure their digital footprints while applying for remote positions." "While it’s been several months since these articles were published, we continue to see reports from our customers of fraudulent re mote worker campaigns originating from Astrill VPN IP addresses."
#spur.us#EN#2024#Astrill#VPN#IP#addresses#IoC#North-Korea#infiltrating
·spur.us·
Astrill VPN and Remote Worker Fraud - Spur
Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON | Microsoft Security Blog
Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON | Microsoft Security Blog
At CYBERWARCON 2024, Microsoft Threat Intelligence analysts will share research and insights on North Korean and Chinese threat actors representing years of threat actor tracking, infrastructure monitoring and disruption, and their attack tooling.
#microsoft#EN#2024#CYBERWARCON#DPRK#North-Korea#China#analysis#intlligence
·microsoft.com·
Microsoft shares latest intelligence on North Korean and Chinese threat actors at CYBERWARCON | Microsoft Security Blog
Office of Public Affairs | North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers | United States Department of Justice
Office of Public Affairs | North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers | United States Department of Justice
Hacking Group Known as “Andariel” Used Ransom Proceeds to Fund Theft of Sensitive Information from Defense and Technology Organizations Worldwide, Including U.S. Government Agencies
#justice.gov#EN#2024#North-Korea#Hacker#Charged#Andariel#US
·justice.gov·
Office of Public Affairs | North Korean Government Hacker Charged for Involvement in Ransomware Attacks Targeting U.S. Hospitals and Health Care Providers | United States Department of Justice
North Korean hackers are stealing military secrets, say U.S. and allies
North Korean hackers are stealing military secrets, say U.S. and allies
North Korean hackers have conducted a global cyber espionage campaign in efforts to steal classified military secrets to support Pyongyang's banned nuclear weapons programme, the United States, Britain and South Korea said in a joint advisory on Thursday. The hackers, dubbed Anadriel or APT45 by cybersecurity researchers, are believed to be part of North Korea's intelligence agency known as the Reconnaissance General Bureau, an entity sanctioned by the U.S. in 2015.
#reuters#EN#2024#North-Korea#Anadriel#APT45#spy#stealing
·reuters.com·
North Korean hackers are stealing military secrets, say U.S. and allies
N. Korean hacking group stole massive amount of personal info from S. Korean court computer network
N. Korean hacking group stole massive amount of personal info from S. Korean court computer network
A North Korean hacking group had stolen a massive amount of personal information from a South Korean court computer network, probe results showed on Saturday. A total of 1,014 gigabytes worth of data and documents were leaked from Seoul's court computer network between January 2021 and February 2023 by the hacking group, presumed to be Lazarus, according to the joint probe by the police, the prosecution and the National Intelligence Service.
#m-en.yna.co.kr#North-Korea#stolen#Seoul#Lazarus#Court#South-Korea
·m-en.yna.co.kr·
N. Korean hacking group stole massive amount of personal info from S. Korean court computer network
North Korea’s Post-Infection Python Payloads – One Night in Norfolk
North Korea’s Post-Infection Python Payloads – One Night in Norfolk
Throughout the past few months, several publications have written about a North Korean threat actor group’s use of NPM packages to deploy malware to developers and other unsuspecting victims. This blog post provides additional details regarding the second and third-stage malware in these attacks, which these publications have only covered in limited detail.
#norfolkinfosec#EN#2024#NPM#packages#Phlyum#malware#North-Korea#phyton#payloads
·norfolkinfosec.com·
North Korea’s Post-Infection Python Payloads – One Night in Norfolk